CVSS: 9.8EPSS: 94%CPEs: 97EXPL: 82CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-22965
01 Apr 2022 — A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Una aplicación Spring MVC o Spring WebFlux que es ejecutada en JDK 9+ puede ser ... • https://packetstorm.news/files/id/167011 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 5%CPEs: 17EXPL: 2CVE-2021-43859 – Denial of Service by injecting highly recursive collections or maps in XStream
https://notcve.org/view.php?id=CVE-2021-43859
01 Feb 2022 — XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as ... • http://www.openwall.com/lists/oss-security/2022/02/09/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.5EPSS: 46%CPEs: 71EXPL: 3CVE-2021-44832 – Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
https://notcve.org/view.php?id=CVE-2021-44832
28 Dec 2021 — Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Las versiones de Apache Log4j2 de la 2.0-beta7 a la 2.17.0 (excluyendo las versiones de corrección de seg... • https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39150 – A Server-Side Forgery Request vulnerability in XStream via PriorityQueue unmarshaling
https://notcve.org/view.php?id=CVE-2021-39150
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framewor... • https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.5EPSS: 52%CPEs: 36EXPL: 1CVE-2021-39152 – A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling
https://notcve.org/view.php?id=CVE-2021-39152
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framewor... • https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39140 – XStream can cause a Denial of Service
https://notcve.org/view.php?id=CVE-2021-39140
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a bl... • https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc • CWE-502: Deserialization of Untrusted Data CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39149 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39149
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39148 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39148
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39147 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39147
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 43%CPEs: 36EXPL: 0CVE-2021-39146 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39146
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •